First published: Fri Jun 21 2019(Updated: )
Apache Tomcat is vulnerable to a denial of service, caused by HTTP/2 connection window exhaustion on write. By failing to send WINDOW_UPDATE messages, a remote attacker could exploit this vulnerability to block threads on the server and cause a denial of service.
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
Apache Tomcat | >=8.5.0<=8.5.40 | |
Apache Tomcat | >=9.0.1<=9.0.19 | |
Apache Tomcat | =9.0.0-m1 | |
Apache Tomcat | =9.0.0-m10 | |
Apache Tomcat | =9.0.0-m11 | |
Apache Tomcat | =9.0.0-m12 | |
Apache Tomcat | =9.0.0-m13 | |
Apache Tomcat | =9.0.0-m14 | |
Apache Tomcat | =9.0.0-m15 | |
Apache Tomcat | =9.0.0-m16 | |
Apache Tomcat | =9.0.0-m17 | |
Apache Tomcat | =9.0.0-m18 | |
Apache Tomcat | =9.0.0-m19 | |
Apache Tomcat | =9.0.0-m2 | |
Apache Tomcat | =9.0.0-m20 | |
Apache Tomcat | =9.0.0-m21 | |
Apache Tomcat | =9.0.0-m22 | |
Apache Tomcat | =9.0.0-m23 | |
Apache Tomcat | =9.0.0-m24 | |
Apache Tomcat | =9.0.0-m25 | |
Apache Tomcat | =9.0.0-m26 | |
Apache Tomcat | =9.0.0-m27 | |
Apache Tomcat | =9.0.0-m3 | |
Apache Tomcat | =9.0.0-m4 | |
Apache Tomcat | =9.0.0-m5 | |
Apache Tomcat | =9.0.0-m6 | |
Apache Tomcat | =9.0.0-m7 | |
Apache Tomcat | =9.0.0-m8 | |
Apache Tomcat | =9.0.0-m9 | |
Apache Tomcat | =9.0.0-milestone1 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone2 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone27 | |
Apache Tomcat | =9.0.0-milestone3 | |
Apache Tomcat | =9.0.0-milestone4 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
redhat/Apache Tomcat | <9.0.20 | 9.0.20 |
redhat/Apache Tomcat | <8.5.41 | 8.5.41 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0<8.5.41 | 8.5.41 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1<9.0.20 | 9.0.20 |
IBM GDE | <=3.0.0.2 | |
debian/tomcat9 | 9.0.43-2~deb11u10 9.0.70-2 9.0.95-1 |
pki-servlet-container does not use HTTP/2 in its default configuration.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-10072 is a vulnerability in Apache Tomcat that allows clients to cause server-side threads to become exhausted.
CVE-2019-10072 has a severity rating of 5.3 (Medium).
Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 are affected by CVE-2019-10072.
Update your Apache Tomcat installation to version 9.0.20 or later (for 9.x) or version 8.5.41 or later (for 8.5.x).
You can find more information about CVE-2019-10072 at the following references: - [CVE-2019-10072](https://www.cve.org/CVERecord?id=CVE-2019-10072) - [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-10072) - [Apache Tomcat Security](http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41) - [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1723708) - [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2019:3931)